PT-2022-24890 · Gocd · Gocd

Published: 2022-10-14 · Updated: 2022-10-21 · CVE-2022-39309

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: GoCD versions prior to 21.1.0

Description: The issue affects GoCD, a continuous delivery server that automates and streamlines the build-test-release cycle for continuous delivery of products. Affected versions leak the symmetric key used to encrypt and decrypt secure variables and secrets in the GoCD configuration to authenticated agents. A malicious or compromised agent can read this key from memory; if the attacker also obtains encrypted configuration values from the GoCD server, the key lets them decrypt secrets intended for other agents or environments.

Recommendations: For versions prior to 21.1.0, update to GoCD version 21.1.0 to resolve the issue. At the moment, there are no known workarounds for this issue.

Weakness Enumeration:
Information Disclosure
Exposure of Resource to Wrong Sphere

Related Identifiers:
CVE-2022-39309
GHSA-F9QG-XCXQ-CGV9

Affected Products:
Gocd